Anti-Fraud That's Anti-Consumer

Share

Anti-Fraud That's Anti-Consumer

When Kendall Dawson heard about PayPal, a wildly popular new service that lets surfers send money via email, he thought it would be a great way to pay for items on eBay, so he signed up.

Or rather, tried to sign up. But each time he typed his credit card number into PayPal's website, it returned a message saying the card couldn't be confirmed and to contact the credit card company. A check with the card company showed no problem with the card.

After weeks, repeated queries to PayPal, and repeated replies that the problem was on his end, Dawson finally received a short email reply that revealed the real reason his card wouldn't go through.

PayPal's fraud screening system – run by a company called CyberSource, which collects and analyzes data from more than 2,000 other Web merchants, including Amazon.com and Buy.com – had flagged his card as a fraud risk.

Dawson was first annoyed, then perplexed: "All my credit cards are in good standing," he said. "I have never once been late with a payment."

Now he wants to know exactly why his card was rejected, claiming that he should be able to see his online credit profile, just as a person denied a mortgage loan can request to see his credit report. As of Friday afternoon, PayPal had not responded to Dawson's requests.

"I'm really curious what kind of 'score' is required, and how they're determining this profile," said Dawson. "Nowhere on their site did I see any mention of this."

Merchants, of course, have the right to refuse to do business with someone without explanation, and PayPal is in no way analogous to a mortgage lender.

But the database PayPal uses isn't PayPal's alone – it's shared with more than 2,000 other Web merchants, and therefore holds significant sway over a customer's ability to buy online. Erroneous data could prohibit a customer from purchasing across a vast swath of websites.

CyberSource's database includes the purchase history of all cards used across all of its client sites. The company analyzes each new purchase request against the database, running it through a complex series of algorithms that ultimately spit out a single number between 0-99. The higher the number, the higher the likelihood that the requested transaction is fraudulent, according to CyberSource.

Red flags include sudden spending binges, purchases coming from multiple IP addresses, or purchases coming from IP addresses that have been involved in previous fraudulent transactions. Individual client companies then choose what number they consider too risky, and reject any transaction that scores above that. (Online companies, not the card holder, are financially liable for all bogus charges.)

CyberSource says it favors full disclosure of its profiles. "We're happy to disclose any history," said William Donahoo, CyberSource's VP of marketing. "But we do request that they contact the merchant first." CyberSource said it delivers the profile information to the merchant, who will in theory share it with the customer.

Problem is, not all merchants seem ready to follow-up on their end, concerned that they'll be giving out information that might help potential fraudsters beat the system.

Amazon.com, for instance, said it won't let customers see their profiles. "We don't disclose that information," said spokeswoman Patti Smith. "We simply notify the customer that their card has been rejected, and then it's up to them to contact the card provider or lending institution."But the card provider doesn't keep the CyberSource database, and, as in Dawson's case, isn't likely to know why the card was rejected. Dawson's card provider simply told him to try reentering his data at PayPal's site, making sure to enter his address exactly as it appeared on his billing statements.

For its part, PayPal said that, even if it wanted to, it couldn't deliver a customer's profile. "CyberSource just sends back the score to us," said Elon Musk, CEO of PayPal's parent company, X.com. There are no additional profile details available, he said.

But Dawson would have been comparatively happy – or would've at least saved a lot of time and consternation – if he'd simply known that he had been scored, and that his score was too high for PayPal's taste.

"The thing that really burns me up is that the people at PayPal never mentioned this (credit profiling) to me," said Dawson. "I was constantly told by (PayPal's) help staff that the trouble was on my end, and that I should just 'keep on trying.'"

"I think it would behoove us to improve our message back to customers," acknowledged PayPal's Musk. He said the company was looking into a new system to handle complaints for non-fraudulent card users who've been rejected by a CyberSource analysis.

He was quick to point out that a customer like Dawson could still sign up with PayPal by either writing a check or authorizing an electronic transfer of funds from his bank account.

Meanwhile, CyberSource said it would, if asked directly, disclose a customer's online credit profile, requiring only that the request be submitted on paper with the customer's signature.

Problem is, the credit check is invisible to customers at most websites, so they would have no way of knowing CyberSource was behind their card's rejection.

CyberSource says it hopes to alleviate that problem by convincing client merchants to post a CyberSource "protected buy" seal on their websites.

The Federal Trade Commission declined specific comment on the obligations of merchants to disclose profiles from the CyberSource database, but pointedly said it believes websites should disclose all consumer data.

"Congress should pass legislation," said FTC spokeswoman Claudia Bourne Farrell. "The FTC has gone on record favoring policy that would give consumers access to all information about them."